If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?

Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions.

Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.

Why is it important to have an adequate compliance training program?

It is important for a residential mortgage lender to develop and implement a written compliance training program, both because of the many rules and regulations that apply to its business and because those rules change constantly; the program gives employees the tools they need to operate in that environment. Regardless of a residential mortgage lender’s size, a well-developed compliance training program is a critical component of an effective compliance management system (“CMS”). As part of a thorough CMS, a robust training program helps a company and its employees keep up to date on regulatory changes that may affect the business, make correct decisions, manage risks, and avoid costly errors or other legal and/or compliance missteps.

A residential mortgage lender’s compliance training program should be current, effective, and commensurate with the entity’s size and risk profile. Oftentimes, this requires training courses to be specifically tailored to reflect how a company operates. It is important that all employees be familiar and in full compliance with a company’s policies and procedures, as well as federal and state consumer protection laws. Employees should also receive comprehensive training based upon their job functions and responsibilities.

Per the Consumer Financial Protection Bureau’s Summer 2013 Supervisory Highlights edition, mortgage lenders must provide ongoing training to Board members, management, and staff. Further, certain federal and state rules and regulations require training on specific subject matters at least annually. For example, mortgage lenders must provide anti-money laundering and privacy/security awareness training at least annually.

It is recommended that all training (whether informal or formal) be tracked and memorialized so that a mortgage lender can demonstrate to its regulators that employees are completing the required courses. Further, requiring a test component helps ensure that employees have sufficiently grasped the material presented. It is important to note that no two compliance training programs will be identical: your company’s size, organizational structure, and geographical reach may dictate the structure of your program.

I’m applying for Fannie Mae approval but am unsure of the difference between a Quality Control Audit (QC) and Internal Audit. What exactly is the difference?

A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions, as applicable. A QC audit looks at the end product, regardless of whether the process is credit or compliance focused. Generally, QC audits, which are forms of transactional testing, are narrower in scope than Internal Audits.

Internal Audits review for and identify a variety of items, such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within that process. To this end, an Internal Auditor will perform a number of tasks: review policies, procedures, and reports; conduct management interviews with the respective business units to gather information on the process being evaluated; document evidence of the process through walkthroughs; and perform transactional testing as needed. The focus is not necessarily on the end product, as is the case with a QC audit, but rather on the adequacy, soundness, and effectiveness of the internal controls within a process, to ensure that the mortgage lender attains the end result sought while complying with Agency and investor guidelines, laws and regulations, and industry best practices.

When will it be mandatory to use the new Uniform Residential Loan Application (URLA) and what are some of the changes?

Loan applications taken on or after July 1, 2019 may use the redesigned URLA, and all new loan applications taken on or after February 1, 2020 must use the new URLA. Given that the new URLA was designed to make it easier for lenders to collect the data required by HMDA, it is expected that many lenders will require use of the new URLA before the mandatory implementation date in February 2020.

The application has more than doubled in size. The length of the new URLA will vary depending on the number of borrowers, the type of loan, and the type of transaction (sections are added or removed based on the loan scenario). The look and feel of the redesigned URLA is similar to the Loan Estimate and Closing Disclosure, and it uses what is considered more easily understood language and clearer instructions. The GSEs also created a Spanish version of the new URLA form; however, a completed English URLA must still be signed by all applicants.

A few highlights of the new URLA are as follows:

  • New fields have been added based on new federal regulations. For example, there are dedicated fields for the demographic information required by HMDA since January 2018, thereby retiring the Demographic Information Addendum currently in use.
  • Obsolete fields have been eliminated. For example, the applicant is no longer required to list the make and model of their automobile.
  • There is defined separation of individual borrower applications.
  • The information a borrower must provide, acknowledge and agree to has been separated from the information the broker/lender collects and verifies in connection with the processing and underwriting of the loan.

The redesigned URLA, as well as some FAQs and hints, can be found on the Fannie Mae website.

The new URLA is a complete reinvention of the loan application. Brokers and lenders will need to start collecting much more information than was previously collected. It is advisable to review the new URLA now and start planning how you will collect that data once it is required.